Jinja_dude

Reputation: 529

Issue with VPC Service Controls and Ingress Policy on Google Cloud

In our organization, we have configured an Access Policy with a scope for a GCP folder.

Here are the details of our configuration:

  1. Access Policy:

    • Name: accessPolicies/XXXXX
    • Scope: GCP Folder
  2. Access Level:

    • Name: accessLevels/Access_Level_Restriction
    • Filter: Authorized public IPs
  3. VPC Service Perimeter in Dry Run mode:

    • Name: servicePerimeters/vpc_perimeter
    • Resources to protect:
      • Projects: All GCP projects in the GCP folder
      • Networks: All VPCs of the protected GCP projects
    • Restricted Services: All services
    • VPC Accessible Services: N/A
    • Access Levels: N/A
    • Ingress Policy:
      • From: Any Identity (Source: Access Level: Access_Level_Restriction)
      • To: All projects, All services
    • Egress Policy:
      • From: Any Identity
      • To: All projects, All services

We have enabled the VPC SC / WIF feature for our organization.

Issue Encountered:

When connected via Workforce Identity Federation (WIF) or Cloud Identity, I can access Compute Engine to list instances in the GCP project project_id. However, when filtering logs with log_id("cloudaudit.googleapis.com/policy") AND severity="error" AND protoPayload.metadata.dryRun="true", I receive VPC Service Controls errors in Dry Run mode stating:

(Dry Run Mode) Request is prohibited by organization's policy. vpcServiceControlsUniqueIdentifier: XXXXXXX

Error Details:

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "status": {
      "code": 7,
      "message": "(Dry Run Mode) Request is prohibited by organization's policy. vpcServiceControlsUniqueIdentifier: XXXXXXX",
      "details": [
        {
          "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
          "violations": [
            {
              "type": "VPC_SERVICE_CONTROLS",
              "description": "XXXXXXX"
            }
          ]
        }
      ]
    },
    "authenticationInfo": {
      "principalEmail": "anonymized_email@domain.com"
    },
    "requestMetadata": {
      "callerIp": "MY_IPV4",
      "requestAttributes": {},
      "destinationAttributes": {}
    },
    "serviceName": "compute.googleapis.com",
    "methodName": "compute.beta.ProjectsService.Get",
    "resourceName": "projects/XXXXXXXXX",
    "metadata": {
      "deviceState": "Unknown",
      "ingressViolations": [
        {
          "servicePerimeter": "accessPolicies/XXXXX/servicePerimeters/vpc_perimeter",
          "targetResource": "projects/XXXXXXXXX"
        }
      ],
      "intermediateServices": [
        "cloudclient-pa.googleapis.com"
      ],
      "securityPolicyInfo": {
        "organizationId": "XXXXXXXXX",
        "servicePerimeterName": "accessPolicies/XXXXX/servicePerimeters/vpc_perimeter"
      },
      "vpcServiceControlsUniqueId": "XXXXXXX",
      "@type": "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata",
      "dryRun": true,
      "resourceNames": [
        "project_id"
      ],
      "violationReason": "NO_MATCHING_ACCESS_LEVEL"
    }
  },
  "insertId": "XXXXXXXXX",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "method": "compute.beta.ProjectsService.Get",
      "service": "compute.googleapis.com",
      "project_id": "project_id"
    }
  }
}

Questions:

  1. Why does this error appear even though the IP is authorized in the ingress policy?
  2. Is it necessary to explicitly add the access level in the service perimeter despite the configuration via the ingress policy?

Upvotes: 0

Views: 387
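Added example (not part of the original question or answer): a small triage script that does offline what the Logs Explorer filter in the question does, selects the dry-run VPC Service Controls violations out of a batch of audit log entries, pulls the fields a practitioner wants to see side by side (principal, callerIp, perimeter, violationReason, whether the call came through an intermediate service), and checks the callerIp against the IP ranges the access level is assumed to allow. The log entries and the allowed subnet 203.0.113.0/24 are constructed for the example; the entry shape follows the log posted above. If a NO_MATCHING_ACCESS_LEVEL row shows callerIp inside the allowed ranges, the IP list is not what failed, and the next thing to inspect is how the access level is attached to the perimeter (its accessLevels list and ingress rules), which is the point of the accepted answer.

```python
"""Triage VPC Service Controls (VPC SC) dry-run violations from Cloud Audit Log
entries. Example code added to the page, not from the original post.
The sample entries and the subnet 203.0.113.0/24 are constructed."""
import ipaddress
import json
from collections import Counter

POLICY_LOG_ID = "cloudaudit.googleapis.com/policy"

# Constructed assumption: the IP subnets behind the Access_Level_Restriction level.
ACCESS_LEVEL_SUBNETS = ["203.0.113.0/24"]


def _policy_entry(caller_ip, dry_run, severity, principal="user@example.com"):
    """Build a constructed entry shaped like the policy-log entry in the question."""
    entry = {
        "logName": "projects/project_id/logs/cloudaudit.googleapis.com%2Fpolicy",
        "severity": severity,
        "protoPayload": {
            "status": {"code": 7, "message": "Request is prohibited by organization's policy."},
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": caller_ip},
            "serviceName": "compute.googleapis.com",
            "methodName": "compute.beta.ProjectsService.Get",
            "resourceName": "projects/123456789",
            "metadata": {
                "ingressViolations": [{
                    "servicePerimeter": "accessPolicies/XXXXX/servicePerimeters/vpc_perimeter",
                    "targetResource": "projects/123456789",
                }],
                "intermediateServices": ["cloudclient-pa.googleapis.com"],
                "violationReason": "NO_MATCHING_ACCESS_LEVEL",
            },
        },
    }
    if dry_run:
        entry["protoPayload"]["metadata"]["dryRun"] = True
    return entry


# Constructed sample batch: two dry-run violations (one caller inside the allowed
# subnet, one outside) plus an ordinary Admin Activity entry that must be ignored.
SAMPLE_LOG_LINES = [
    json.dumps(_policy_entry("203.0.113.10", dry_run=True, severity="ERROR")),
    json.dumps(_policy_entry("198.51.100.5", dry_run=True, severity="ERROR")),
    json.dumps({"logName": "projects/project_id/logs/cloudaudit.googleapis.com%2Factivity",
                "severity": "NOTICE",
                "protoPayload": {"methodName": "v1.compute.instances.list"}}),
]


def parse_log_lines(lines):
    """Each line is one exported log entry in JSON."""
    return [json.loads(line) for line in lines]


def is_vpcsc_dry_run_violation(entry):
    """Python equivalent of the Logs Explorer filter
    log_id("cloudaudit.googleapis.com/policy") AND severity="error"
    AND protoPayload.metadata.dryRun="true".
    log_id(X) matches logName ending in /logs/X with the slash URL-encoded."""
    log_name = entry.get("logName", "")
    if not log_name.endswith("/logs/" + POLICY_LOG_ID.replace("/", "%2F")):
        return False
    if entry.get("severity", "").upper() != "ERROR":
        return False
    metadata = entry.get("protoPayload", {}).get("metadata", {})
    return metadata.get("dryRun") is True


def caller_ip_in_access_level(caller_ip, subnets=ACCESS_LEVEL_SUBNETS):
    """True if callerIp lies inside one of the access level's subnets.
    Audit logs can carry non-IP markers in callerIp (e.g. "gce-internal-ip");
    those never match an IP-based access level, so they yield False."""
    try:
        ip = ipaddress.ip_address(caller_ip)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(s, strict=False) for s in subnets)


def triage(entries, subnets=ACCESS_LEVEL_SUBNETS):
    """One row per dry-run violation with the fields needed to explain it."""
    rows = []
    for entry in entries:
        if not is_vpcsc_dry_run_violation(entry):
            continue
        payload = entry["protoPayload"]
        meta = payload.get("metadata", {})
        # Ingress and egress violations both carry servicePerimeter/targetResource.
        violations = meta.get("ingressViolations") or meta.get("egressViolations") or [{}]
        caller_ip = payload.get("requestMetadata", {}).get("callerIp", "")
        rows.append({
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "caller_ip": caller_ip,
            "caller_ip_in_access_level": caller_ip_in_access_level(caller_ip, subnets),
            "method": payload.get("methodName"),
            "perimeter": violations[0].get("servicePerimeter"),
            "target": violations[0].get("targetResource"),
            "violation_reason": meta.get("violationReason"),
            "via_intermediate_service": bool(meta.get("intermediateServices")),
        })
    return rows


def violation_counts(rows):
    """Group rows by perimeter, reason and whether the caller IP was allowed."""
    return Counter((r["perimeter"], r["violation_reason"], r["caller_ip_in_access_level"])
                   for r in rows)


if __name__ == "__main__":
    found = triage(parse_log_lines(SAMPLE_LOG_LINES))
    for row in found:
        print(row)
    print(violation_counts(found))
```

Run it against a real export by replacing SAMPLE_LOG_LINES with the lines of a `gcloud logging read ... --format=json` export split into one entry per line, and set ACCESS_LEVEL_SUBNETS to the ranges actually in the access level.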

Answers (1)

x-zone-cat

Reputation: 552

Why does this error appear even though the IP is authorized in the ingress policy?

This should be connected on the group policy to explicitly allow the access level (link).

Is it necessary to explicitly add the access level in the service perimeter despite the configuration via the ingress policy?

It is recommended to explicitly add the access level in the service perimeter, as described in this link.

Upvotes: 0
